enhance: add build_id and actor_id to claims

go-vela · May 29, 2024 · ce82c32 · ce82c32
1 parent 9d6aeb1
commit ce82c32
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 7 deletions.
diff --git a/api/build/id_token.go b/api/build/id_token.go
@@ -77,15 +77,16 @@ func GetIDToken(c *gin.Context) {
 	// capture middleware values
 	b := build.Retrieve(c)
 	cl := claims.Retrieve(c)
+	ctx := c.Request.Context()
 
 	// update engine logger with API metadata
 	//
 	// https://pkg.go.dev/github.com/sirupsen/logrus?tab=doc#Entry.WithFields
 	logrus.WithFields(logrus.Fields{
-		"build": b.GetNumber(),
-		"org":   b.GetRepo().GetOrg(),
-		"repo":  b.GetRepo().GetName(),
-		"user":  cl.Subject,
+		"build":   b.GetNumber(),
+		"org":     b.GetRepo().GetOrg(),
+		"repo":    b.GetRepo().GetName(),
+		"subject": cl.Subject,
 	}).Infof("generating ID token for build %s/%d", b.GetRepo().GetFullName(), b.GetNumber())
 
 	// retrieve token manager from context
@@ -108,7 +109,7 @@ func GetIDToken(c *gin.Context) {
 	}
 
 	// mint token
-	idt, err := tm.MintIDToken(idmto, database.FromContext(c))
+	idt, err := tm.MintIDToken(ctx, idmto, database.FromContext(c))
 	if err != nil {
 		retErr := fmt.Errorf("unable to generate build token: %w", err)
 		util.HandleError(c, http.StatusInternalServerError, retErr)

diff --git a/api/types/oidc.go b/api/types/oidc.go
@@ -21,7 +21,9 @@ type OpenIDConfig struct {
 // includes information relevant to OIDC services.
 type OpenIDClaims struct {
 	BuildNumber int    `json:"build_number,omitempty"`
+	BuildID     int64  `json:"build_id,omitempty"`
 	Actor       string `json:"actor,omitempty"`
+	ActorID     string `json:"actor_id,omitempty"`
 	Repo        string `json:"repo,omitempty"`
 	TokenType   string `json:"token_type,omitempty"`
 	Image       string `json:"image,omitempty"`

diff --git a/internal/token/mint.go b/internal/token/mint.go
@@ -6,6 +6,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"strconv"
 	"time"
 
 	"github.com/golang-jwt/jwt/v5"
@@ -129,7 +130,7 @@ func (tm *Manager) MintToken(mto *MintTokenOpts) (string, error) {
 }
 
 // MintIDToken mints a Vela JWT ID Token for a build.
-func (tm *Manager) MintIDToken(mto *MintTokenOpts, db database.Interface) (string, error) {
+func (tm *Manager) MintIDToken(ctx context.Context, mto *MintTokenOpts, db database.Interface) (string, error) {
 	// initialize claims struct
 	var claims = new(api.OpenIDClaims)
 
@@ -146,9 +147,22 @@ func (tm *Manager) MintIDToken(mto *MintTokenOpts, db database.Interface) (strin
 		return "", errors.New("missing build id for ID token")
 	}
 
+	if len(mto.Build.GetSender()) == 0 {
+		return "", errors.New("missing build sender for ID token")
+	}
+
 	// set claims based on input
 	claims.BuildNumber = mto.Build.GetNumber()
+	claims.BuildID = mto.Build.GetID()
 	claims.Actor = mto.Build.GetSender()
+
+	// retrieve the user id for the actor
+	u, err := db.GetUserForName(ctx, mto.Build.GetSender())
+	if err != nil {
+		return "", errors.New("unable to retrieve build sender user ID for ID token")
+	}
+
+	claims.ActorID = strconv.Itoa(int(u.GetID()))
 	claims.Repo = mto.Repo
 	claims.Event = fmt.Sprintf("%s:%s", mto.Build.GetEvent(), mto.Build.GetEventAction())
 	claims.SHA = mto.Build.GetCommit()
@@ -168,7 +182,7 @@ func (tm *Manager) MintIDToken(mto *MintTokenOpts, db database.Interface) (strin
 	tk := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
 
 	// verify key is active in the database before signing
-	_, err := db.GetActiveJWK(context.TODO(), tm.RSAKeySet.KID)
+	_, err = db.GetActiveJWK(context.TODO(), tm.RSAKeySet.KID)
 	if err != nil {
 		if !errors.Is(err, gorm.ErrRecordNotFound) {
 			return "", fmt.Errorf("unable to get active public key: %w", err)